Use a Docker Hardened Image in Kubernetes

Authentication

To use Docker Hardened Images in Kubernetes, you need to create a Kubernetes secret for pulling images from your mirror or internal registry.

Note

You need to create this secret in each Kubernetes namespace that uses a DHI.

Create a secret using a Personal Access Token (PAT). Ensure the token has at least read-only access to public repositories. For Docker Hardened Images, replace <registry server> with dhi.io. If you are using a mirrored repository, replace it with your mirror's registry server, such as docker.io for Docker Hub.

$ kubectl create -n <kubernetes namespace> secret docker-registry <secret name> --docker-server=<registry server> \
        --docker-username=<registry user> --docker-password=<access token> \
        --docker-email=<registry email>
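
As an added example (not part of the Docker documentation), the script below creates the same pull secret in several namespaces, as the note above requires, and keeps the access token out of shell history and process arguments by piping a manifest to kubectl apply instead of passing --docker-password. The function names and the DHI_TOKEN variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: create the DHI pull secret in several namespaces.
# Usage (after sourcing, with DHI_TOKEN set from a prompt or secret store):
#   dhi_apply_secret dhi.io <registry user> <secret name> team-a team-b
set -eu

b64() { base64 | tr -d '\n'; }

# Build the .dockerconfigjson payload for one registry.
# Assumption: values contain no '"' or '\', so no JSON escaping is needed;
# anything else is rejected rather than written into a malformed config.
dhi_dockerconfigjson() {
  local server="$1" user="$2" token="$3" auth
  case "$server$user$token" in
    *'"'*|*'\'*) echo "unsupported character in credentials" >&2; return 1 ;;
  esac
  auth=$(printf '%s:%s' "$user" "$token" | b64)
  printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' \
    "$server" "$user" "$token" "$auth"
}

# Emit a Secret of type kubernetes.io/dockerconfigjson for one namespace.
dhi_secret_manifest() {
  local namespace="$1" name="$2" config="$3"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $namespace
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $(printf '%s' "$config" | b64)
EOF
}

# Apply the secret to every namespace given after the secret name.
# The token comes from DHI_TOKEN and reaches external commands only over stdin.
dhi_apply_secret() {
  local server="$1" user="$2" name="$3" config ns
  shift 3
  config=$(dhi_dockerconfigjson "$server" "$user" "${DHI_TOKEN:?set DHI_TOKEN}")
  for ns in "$@"; do
    dhi_secret_manifest "$ns" "$name" "$config" | kubectl apply -f -
  done
}
```

The data field of a Secret is only base64-encoded, so the generated manifest should be piped straight to kubectl as shown and not written to disk or committed.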

To test the secret, use the following command:

kubectl apply --wait -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: dhi-test
  namespace: <kubernetes namespace>
spec:
  containers:
  - name: test
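    # Reference the registry the secret authenticates to (adjust the repository
    # path for a mirror). An unqualified bash:5 typically resolves to the public
    # Docker Hub image, which pulls without the secret and proves nothing.
    image: <registry server>/bash:5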
    command: [ "sh", "-c", "echo 'Hello from DHI in Kubernetes!'" ]
  imagePullSecrets:
  - name: <secret name>
EOF

Get the status of the pod by running:

$ kubectl get -n <kubernetes namespace> pods/dhi-test

The command should return the following result:

NAME       READY   STATUS      RESTARTS     AGE
dhi-test   0/1     Completed   ...          ...

If the result is instead the following, there might be an issue with your secret.

NAME       READY   STATUS         RESTARTS   AGE
dhi-test   0/1     ErrImagePull   0          ...

Verify the output of the pod by running the following command, which should return Hello from DHI in Kubernetes!

$ kubectl logs -n <kubernetes namespace> pods/dhi-test

After a successful test, the test pod can be deleted with the following command:

$ kubectl delete -n <kubernetes namespace> pods/dhi-test